Chapter 6 Cybercrimes

Upload: taryn-mitchiner

Post on 15-Dec-2015

Page 1: Chapter 6 Cybercrimes. Spam Good marketing points? Cheap Highly effective PgP BUSA331 Chapter 82

Chapter 6 Cybercrimes

Spam

• Good marketing points?
  • Cheap
  • Highly effective

PgP BUSA331 Chapter 8

Spam

• Bad points?
  • Makes up 90% of U.S. e-mail!

Spam Avoidance

• Never reply
• Do not put email address on web site
• Use alias email address in newsgroups
• Do not readily give out email address
• Use spam filter
• Never buy from spam

CAN-SPAM

• Controlling Assault of Non-Solicited Pornography and Marketing Act
• Does not ban sending spam
  • Due to 1st Amendment, free speech
• Some states have more restrictive laws

CAN-SPAM Requires

• Accurate email headers, valid return address
• Opt-out procedures
  • Why not opt-in?
• Clear notice of opt-out
• Compliance with opt-out within 10 days
• Label commercial email as solicitation
• Sender’s valid physical address
• Warning labels on sexually oriented material

CAN-SPAM Prohibits

• Misleading subject lines
• Email address harvesting

CAN-SPAM Enforcement

• FTC
• AGs (Attorneys General)
• ISPs
• No private right of action

CAN-SPAM Prosecutions

• Illinois, Florida, New York, California
• Bottom line - has done little to impede the spam onslaught

State SPAM Laws

• Patchwork, non-uniform
• Jurisdictional questions
• Opt-in requirements
• Limited by First Amendment issues

Foreign SPAM Laws

• Main issue is enforcement

Fighting SPAM

• FTC - Federal Trade Commission, truth in advertising laws
• Trademark infringement
• RICO - Racketeer Influenced and Corrupt Organizations Act
• Computer Fraud and Abuse Act, unauthorized computer use to get email addresses

Murking

• Bills vs Laws

Mail Bombs

• Excessive email to overload server storage
• Denial of service attack

Permission Based Marketing

• Legal, because requested
• Opt-in
• RSS feed sign up…

Chapter 9 Social Engineering and Identity Theft

Ultimate Goal

• Steal Passwords, Personally Identifiable Information - Your ‘Identity’
• In order to profit
• Internet enables this without physical contact

Email Spoofing

• Forge email header
• Appears email came from other than true sender
• Why spoof?
  • Avoid identification under spam laws
  • Hide identity, avoid liability for illegal activity
  • Download Trojans to control computers
  • Obtain confidential information
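
A receiving-side check for the forged headers described on this slide, as an added example that is not part of the original deck. The sample messages are constructed, every domain is a placeholder, and the function name is hypothetical; the findings are indicators to review, not proof of spoofing.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); all domains are placeholders.
LEGIT = """\
Return-Path: <billing@bank.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Example Bank" <billing@bank.example>
Subject: Your statement is ready

Body
"""

SPOOFED = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=bank.example
From: "Example Bank" <billing@bank.example>
Reply-To: support@lookalike.example
Subject: Verify your account

Body
"""

def _domain(value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def spoofing_indicators(raw):
    """Return header inconsistencies worth a closer look (hypothetical helper)."""
    msg = message_from_string(raw)
    from_dom = _domain(msg["From"])
    findings = []
    # The visible From can differ from the envelope sender and the reply target.
    for header, label in (("Return-Path", "return-path-mismatch"),
                          ("Reply-To", "reply-to-mismatch")):
        dom = _domain(msg[header])
        if dom and dom != from_dom:
            findings.append(label)
    # Only trust Authentication-Results stamped by your own receiving server.
    verdicts = {}
    for part in (msg["Authentication-Results"] or "").split(";")[1:]:
        method, _, rest = part.strip().partition("=")
        if rest:
            verdicts[method] = rest.split()[0]
    if verdicts.get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    return findings
```

Legitimate bulk mail sent through a third-party service can also show a Return-Path mismatch, so the DMARC verdict carries the most weight.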

Phishing

• Use of official looking emails to trick people into revealing
  • Usernames
  • Passwords
  • Other Personally Identifiable Information
• Result - loss of confidence in web transactions

Ice Phishing?

• No, but there is…
• Personalized Phishing - target victim by name, already have some info, hoping to get more
• Spear Phishing - Pose as high level executive, demand info
  • Effective against soldiers
• Whaling - Target high level executives
• Lesson - think twice before clicking IM or email hyperlink!

Pharming

• Similar to phishing
• Use web sites to obtain personal info
• DNS exploits

Identity Theft

• Goal - obtain key personal info
• Falsely obtain goods & services
• Sources
  • Database cracking
  • Social engineering
  • Pretexting
  • Survey
• Results - large $ loss
• But credit cards safer on web

Social Security Numbers

• De facto national identifier
• Key to a person’s identity
• SSNs can be found online in government records

Personal Information Safeguard

• Dumpster diving
  • Shred your garbage?
• Be mindful of https
• Review credit reports
• Do not reveal SSN unless a must
• Wary of giving personal info
• Overwrite old hard drives
• Copy machine hard drives?

Identity Theft Penalty Enhancement Act

• Sounds good - mandatory jail time for possessing identity info with intent of committing crime
• Real issue - hold info handlers accountable for data they collect

CAAS?

• Have you heard of Software as a Service - SAAS? A hot new trend in technology
• How about CAAS?
  • Crimeware as a Service
• Criminals Never Stop Innovating

Chapter 10 Cybercrimes Using Technology

Targets

• Computers (like yours!)
• Internet Connection

Terminology

• Beware-cybercrime terms (trojan, virus, malware…) often used interchangeably, but they are different

Computer Cybercrime - Cookie Poisoning

• Cookies - data to enhance web browsing experience
• Cookie downside - tracking
• Cookie poisoning - attacker modifies cookie
  • For protection, encrypt cookies
• Cookie Background at GRC
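
How a server can reject a poisoned cookie, as an added example that is not part of the original deck. It uses an HMAC integrity tag rather than the encryption the slide names (an assumption of this example, chosen because the Python standard library has no cipher); the tag is what lets the server detect a modified value. The key, claim names and function names are constructed.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key"  # placeholder; a real key stays server-side

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(payload, key):
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())

def issue_cookie(claims, key=SECRET_KEY):
    """Serialize the claims and append a tag only the server can compute."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _tag(payload, key)

def read_cookie(cookie, key=SECRET_KEY):
    """Return the claims, or None if the cookie is malformed or was modified."""
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return None
    # Constant-time comparison; the payload is decoded only after it verifies.
    if not hmac.compare_digest(tag.encode(), _tag(payload, key).encode()):
        return None
    return json.loads(_unb64(payload))

def modified_by_client(cookie, **changes):
    """Simulate the slide's scenario: the stored value is edited, the tag is not."""
    payload, _, tag = cookie.partition(".")
    claims = json.loads(_unb64(payload))
    claims.update(changes)
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + tag

def demo():
    cookie = issue_cookie({"user": "alice", "role": "customer"})
    return read_cookie(cookie), read_cookie(modified_by_client(cookie, role="admin"))
```

The tag protects integrity only; the cookie's contents remain readable by the client, so values that must stay confidential still need encryption or server-side storage.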

Computer Cybercrime - Spyware

• Tracks and forwards data without user consent
• Uses computer for malicious purposes
• Also slows performance, crashes computer
• FTC investigates, has prosecuted under federal computer privacy laws
• Sears has used spyware on customers - oops
• Steal user stock account login
  • Sell portfolio
  • Manipulate stocks using account
• Avoid public computers, change passwords often

Computer Cybercrime - Drive-by Download

• Program download without consent
  • Viewing web site or email
• Similar to spyware
• Form of computer trespass
• Avoid by using security software

Computer Cybercrime - Malware

• Virus - copies itself, infects computer
• Worm - self-replicating virus
• Trojan horse - malicious program within harmless program, like spyware - non-self-replicating
• Used to take control

Internet Connection Cybercrime - Wardriving

• Using Wi-Fi laptop to map Wireless Access Points
• Subsequent use of Internet connection is telecommunications theft.

Internet Connection Cybercrime - Piggy-backing

• Using wireless internet connection without permission
• State laws vary
• Countries vary

Internet Connection Cybercrime - Issues

• Others use your internet connection to commit cybercrimes
  • Downloading child pornography
• Is a business liable for the unauthorized use of their unsecured wireless internet connection to commit a crime?
• Courts not yet involved
• Solution - secure / encrypt wireless access!

What’s Next?

• Electromagnetic Keyboard Sniffing
• Steal computer keypress/keystrokes from 65 feet away wirelessly!
• http://en.wikipedia.org/wiki/Keystroke_logging#Electromagnetic_emissions

Chapter 11 Cybercrimes and Individuals

Mule Scam

• Victim/mule (usually unknowingly) helps launder stolen online funds
• Uses mule’s PayPal account to transfer defrauded victim’s funds
• Mule paid commission from % of defrauded victim’s funds
• Defrauded victim contacts mule seeking funds back
• eBay will require mule to pay innocent defrauded victim

Cyberstalking

• Using email, IM, blog… to harass victim
• Also incite others against victim
• Can be combined with real world stalking

Corporate Cyberstalking

• Corporation stalking ex-customer or ex-employee
• Or vice versa, but less likely

Cyberstalking Law

• No federal law
• State law varies
• Harassment vs stalking
• Harassment barred by 41 states

Federal Statutes-Securities

• Spam, message boards and chat rooms used to hype stocks, trying to manipulate prices
• Also violate state securities laws
• SEC estimates 100 million stock spam messages per week
• IPO quiet time (90 day) can be violated by blog or tweet

USA PATRIOT Act

• Rushed response to 9/11 attacks
• Amended many federal statutes
• Civil liberty protections suffered
• Lessened standard for government to intercept electronic messages
• Broad reach, beyond terrorists

USA PATRIOT Act

• Subpoena of bank account and credit card numbers from ISPs
• Request ISP to release customer info voluntarily
• Danger in government labeling someone terrorist
• Expansive search warrant powers
• Secret ‘National Security Letters’ without court order!
  • Declared unconstitutional in 2004
• FBI eavesdrops on computer traffic

Online Gambling

• Est 2006 revenue - $12 billion
• Est 2010 revenue - $25 billion - half from U.S.
• State regulated
• Internet issues - may be legal in other locations, but not where bet is placed
• Eight states outlaw online gambling
• British online gambling execs arrested on U.S. soil

Gambling Types

• Casino
• Sports

International Level

• No agreement, legal in some countries
• Countries complain about U.S.
• WTO declares U.S. out of compliance
  • Either let citizens gamble online
  • Or total ban (including lottery tickets)

Wire Wager Act of 1961

• Prohibits use of wire transmission in interstate or foreign commerce of bets, wagers, information on them
• Government must prove
  • Engaged in gambling
  • Interstate transmission of bets…
  • Used wire communication facility
  • Acted knowingly

Unlawful Internet Gambling Enforcement Act - 2006

• Congress goes after money, not gamblers
• Illegal to process gambling payments
• But U.S. gamblers may use off-shore payment processors

Virtual Crime

• Online multiplayer environments
  • Habbo
  • Second Life
• Virtual goods, so virtual or actual theft?
• Physical coercion to obtain virtual artifacts
• Second Life does $1 million/day of commerce!
• Will only get worse…